We Don't Care about Data and IT Security Expand / Collapse
Posted Monday, August 11, 2014 2:35 PM


SSChasing Mays


Group: General Forum Members
As for teaching security in schools, that would be a waste of time. I heard about one school that went through and designed the whole security system so students would not have admin rights on the PCs and all the rest. It only took 48 hours after the school opened for the year for the security system to crumble from the students hacking it.

I also read an article that banks would hire a security company to do an audit of their branches. The four guys showed up in fireman's blues in a plain white van, came in and said they were doing a yearly fire/safety inspection. When they left there was a tap on several keyboard wires, a USB stick plugged in that had spyware loaded on it, and the server had a floppy in it that had a virus on it and was set up to accept RDP sessions from anywhere on the internet.

So it isn't just remote hackers that you need to be worried about.




----------------
Jim P.

A little bit of this and a little byte of that can cause bloatware.
Post #1602062
Posted Monday, August 11, 2014 2:52 PM
SSC-Addicted


Group: General Forum Members
That sounds like Auditors who know their stuff. I have been through audit after audit the last few years and have found from an IT perspective the auditors don't come close to understanding IT security or even the issues. It is disturbing to have them come in and audit our IT when it is clear they really only understand accounting. I figure if they aren't reading Brian Krebs on a regular basis they aren't up to speed (that isn't a guarantee though of course).
Post #1602074
Posted Monday, August 11, 2014 6:00 PM
Forum Newbie


Group: General Forum Members
Apropos of this topic, how many of us as DBAs or database developers have had exposure to concepts like minimizing the attack surface of a database, or follow principles of least privilege in designing a database? Or, even if you do, what kind of organizational pressures do you feel to compromise your security design?

I'm constantly surprised at how many systems are designed with admin privilege required as a proxy for security. In practice, though, that strategy requires granting admin access to too many actors to be secure. (i.e. more permissions granted than the minimum each actor needs to accomplish their task in the system.)

And, while the same system could be designed with lesser permissions granted, once a database is fielded that requires admin privilege, it becomes a self-reinforcing strategy that is set in deeper and deeper concrete as the system lives out its natural life.
Post #1602117
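The contrast the post above draws, as an added T-SQL example that is not part of this thread: the "needs admin to work" pattern beside a least-privilege role, followed by the checks a DBA can run to see who actually holds admin-level membership. The login `app_svc`, database `SalesDb` and schema `app` are constructed placeholders.

```sql
-- Constructed example: app_svc, SalesDb and the app schema are placeholders.
USE master;
CREATE LOGIN app_svc WITH PASSWORD = '<strong password here>';

USE SalesDb;
CREATE USER app_svc FOR LOGIN app_svc;

-- Anti-pattern: "the application needs admin" grants every permission in the
-- database to one login, so every actor using it gets far more than it needs.
-- ALTER ROLE db_owner ADD MEMBER app_svc;

-- Least privilege: a dedicated role that may only execute the stored procedures
-- in the schema the application actually uses; no direct table access at all.
CREATE ROLE app_executor;
GRANT EXECUTE ON SCHEMA::app TO app_executor;
ALTER ROLE app_executor ADD MEMBER app_svc;

-- Check 1: which logins hold sysadmin at the server level?
SELECT r.name AS server_role, m.name AS member_login
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- Check 2: which users are db_owner in this database?
SELECT r.name AS db_role, m.name AS member_user
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'db_owner';

-- Check 3: what the application user can really do, evaluated as that user.
EXECUTE AS USER = 'app_svc';
SELECT * FROM fn_my_permissions('app', 'SCHEMA');
REVERT;
```

Running the two membership checks on a schedule is a cheap way to catch the "set in concrete" drift the post describes, because a login that was added to db_owner to make something work rarely gets removed again.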
Posted Tuesday, August 12, 2014 2:01 AM


SSCertifiable


Group: General Forum Members
John Hanrahan (8/11/2014)
No they copied the code once it was approved to a network location...


Unless they retyped it the "approved ... network location" was connected in some way to the other area.


Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1602170
Posted Tuesday, August 12, 2014 6:13 AM
Ten Centuries


Group: General Forum Members
K. Brian Kelley (8/11/2014)
venoym (8/11/2014)
I have to question the "myth" of the Air-Gap that is referenced. A proper Air-Gap or Data Diode for SCADA systems provides a level of protection that cannot be denied.


It provides an additional level of protection. I'm not denying that. However, the way most SCADA systems have been built, what's behind that data diode is ripe for the picking. You can't add additional layers of protection without breaking the system. Why do they have that attitude? Because they trust the air gap/data diode is the be all/end all. It isn't. It's just a broken and outdated idea in infosec.


I realize this will probably fall on deaf ears. If you rely on only the Data Diode/Air Gap, you deserve to fail, and will fail. An Air-Gap/Data Diode is required by Federal Regulations for Nuclear. Consider, you can't take a system that is a hodgepodge of equipment from every decade back to the 1970's and expect to run the latest and greatest IDS/IPS and anti-malware on every device. Most devices in a SCADA system are simple PLC/firmware devices that only know "point A and set points X, Y and Z". Servers and workstations need to be protected by Best Practices regardless of Air-Gap.

To blanketly state that a Data Diode/Air-Gap is broken and outdated Information Security is disingenuous at best. They work as long as you continue to do the other Cyber Security Best Practices in addition. Like anything, they are a tool to be used and used properly. Similar to the use of NULLs or GOTO, there are valid and GOOD uses of them (Yes, I realize that half of the people reading this just tuned out, but seriously... do some objective research). Finally I'll state that you do NOT want a Nuclear plant to have its control and protection systems have a two-way connection to the Internet.
Post #1602238
Posted Tuesday, August 12, 2014 6:48 AM
Grasshopper


Group: General Forum Members
Part of the problem with security issues is the nature of the feedback loops to the people who have the power to ensure that security measures are central to the way an organization works.

The feedback loop to a client who wants you to carry out some work for them is likely to be both continuous and subject to a very definite negative outcome if you fail to meet expectations - which will almost never go much beyond cost and timescale.

It is therefore easy to continuously prioritise that delivery at the expense of time and resource that could ensure better adherence to good practice in the security field. Here the feedback loop is slow and uncertain. Slack practice will increase the probability of a security breach, but compared to the immediacy and certainty of client feedback it is easy to dismiss.

IT staff, in my experience, do care and will do their best to maximize security and data integrity within the limitations they have imposed on them, and will try to escalate their concerns. However, power doesn't lie with those people and business priorities generally mean that anything that may increase time or cost on a project gets dismissed with a JFDI instruction from those who do hold the decision making power.
Post #1602251
Posted Tuesday, August 12, 2014 7:09 AM


Keeper of the Duck


Group: Moderators
John Hanrahan (8/11/2014)
That sounds like Auditors who know their stuff. I have been through audit after audit the last few years and have found from an IT perspective the auditors don't come close to understanding IT security or even the issues. It is disturbing to have them come in and audit our IT when it is clear they really only understand accounting. I figure if they aren't reading Brian Krebs on a regular basis they aren't up to speed (that isn't a guarantee though of course).


That crew probably bill themselves as penetration testers. That's to distinguish from the auditors who are pretty much all paper with respect to controls.


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #1602271
Posted Tuesday, August 12, 2014 7:13 AM


Keeper of the Duck


Group: Moderators
venoym (8/12/2014)
K. Brian Kelley (8/11/2014)
venoym (8/11/2014)
I have to question the "myth" of the Air-Gap that is referenced. A proper Air-Gap or Data Diode for SCADA systems provides a level of protection that cannot be denied.


It provides an additional level of protection. I'm not denying that. However, the way most SCADA systems have been built, what's behind that data diode is ripe for the picking. You can't add additional layers of protection without breaking the system. Why do they have that attitude? Because they trust the air gap/data diode is the be all/end all. It isn't. It's just a broken and outdated idea in infosec.


I realize this will probably fall on deaf ears. If you rely on only the Data Diode/Air Gap, you deserve to fail, and will fail. An Air-Gap/Data Diode is required by Federal Regulations for Nuclear. Consider, you can't take a system that is a hodgepodge of equipment from every decade back to the 1970's and expect to run the latest and greatest IDS/IPS and anti-malware on every device. Most devices in a SCADA system are simple PLC/firmware devices that only know "point A and set points X, Y and Z". Servers and workstations need to be protected by Best Practices regardless of Air-Gap.

To blanketly state that a Data Diode/Air-Gap is broken and outdated Information Security is disingenuous at best. They work as long as you continue to do the other Cyber Security Best Practices in addition. Like anything, they are a tool to be used and used properly. Similar to the use of NULLs or GOTO, there are valid and GOOD uses of them (Yes, I realize that half of the people reading this just tuned out, but seriously... do some objective research). Finally I'll state that you do NOT want a Nuclear plant to have its control and protection systems have a two-way connection to the Internet.


It's not falling on deaf ears. You understand that there is a need for more. However, go back and look at how many SCADA systems can't be protected from insecure installations because you'll break something or, at best, you'll render it out of support. Why is that?

It's because too many in the industry rely on data diode/air gap *exclusively*. Too many systems are designed where this is the only protection. That's my point. That's the point of that article. You're arguing the same point, that there needs to be more on that single factor of protection. The mistake you're making is extending your own understanding and practice to the rest of your industry.


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #1602275
Posted Tuesday, August 12, 2014 11:51 AM
Old Hand


Group: General Forum Members
K. Brian Kelley (8/12/2014)
venoym (8/12/2014)
K. Brian Kelley (8/11/2014)
venoym (8/11/2014)
I have to question the "myth" of the Air-Gap that is referenced. A proper Air-Gap or Data Diode for SCADA systems provides a level of protection that cannot be denied.


It provides an additional level of protection. I'm not denying that. However, the way most SCADA systems have been built, what's behind that data diode is ripe for the picking. You can't add additional layers of protection without breaking the system. Why do they have that attitude? Because they trust the air gap/data diode is the be all/end all. It isn't. It's just a broken and outdated idea in infosec.


I realize this will probably fall on deaf ears. If you rely on only the Data Diode/Air Gap, you deserve to fail, and will fail. An Air-Gap/Data Diode is required by Federal Regulations for Nuclear. Consider, you can't take a system that is a hodgepodge of equipment from every decade back to the 1970's and expect to run the latest and greatest IDS/IPS and anti-malware on every device. Most devices in a SCADA system are simple PLC/firmware devices that only know "point A and set points X, Y and Z". Servers and workstations need to be protected by Best Practices regardless of Air-Gap.

To blanketly state that a Data Diode/Air-Gap is broken and outdated Information Security is disingenuous at best. They work as long as you continue to do the other Cyber Security Best Practices in addition. Like anything, they are a tool to be used and used properly. Similar to the use of NULLs or GOTO, there are valid and GOOD uses of them (Yes, I realize that half of the people reading this just tuned out, but seriously... do some objective research). Finally I'll state that you do NOT want a Nuclear plant to have its control and protection systems have a two-way connection to the Internet.


It's not falling on deaf ears. You understand that there is a need for more. However, go back and look at how many SCADA systems can't be protected from insecure installations because you'll break something or, at best, you'll render it out of support. Why is that?

It's because too many in the industry rely on data diode/air gap *exclusively*. Too many systems are designed where this is the only protection. That's my point. That's the point of that article. You're arguing the same point, that there needs to be more on that single factor of protection. The mistake you're making is extending your own understanding and practice to the rest of your industry.


I know I'm a little slow, but I'm having some difficulty identifying venoym's mistake, from what I've read he's actually talking about required and recommended practices. Could you offer a little help in identifying his actual mistake? Sure would be appreciated!
Post #1602396
Posted Tuesday, August 12, 2014 12:31 PM


Keeper of the Duck


Group: Moderators
patrickmcginnis59 10839 (8/12/2014)


I know I'm a little slow, but I'm having some difficulty identifying venoym's mistake, from what I've read he's actually talking about required and recommended practices. Could you offer a little help in identifying his actual mistake? Sure would be appreciated!


Venoym believes in defense in depth and not relying on one mechanism to protect your kingdom. This is the best approach. There's nothing wrong here.

Unfortunately, there are too many in the development, implementation, and administration of SCADA software that don't think the same way. They believe that one defense, the air gap/data diode, can protect them from any and all attacks.

Venoym's mistake, at least from what I've seen in the posts, is in thinking that more folks in the industry think like Venoym does. From what I've seen of the SCADA industry, Venoym is the exception, not the rule, when it comes to thinking about security and how to properly apply it.


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #1602411